As we’ve discussed multiple times on the TeleMessage blog, the Health Insurance Portability and Accountability Act (HIPAA) has had a far-reaching impact on IT and information security since its inception. With the creation of the HITECH Act in 2009 and the Omnibus Rule in 2013, the HIPAA Security Rule requirements are front and center for all organizations – both large and small – that do business in the healthcare industry (and even for businesses outside healthcare, following HIPAA guidelines is just good business practice).
Some HIPAA Changes You Might Not Be Aware Of
If you do business in or around the healthcare industry in the U.S., you’re no doubt familiar with HIPAA – the Health Insurance Portability and Accountability Act of 1996. HIPAA applies to organizations in the healthcare industry that process or store protected health information (PHI), such as healthcare providers, insurance companies, and even private businesses that manage their own health plans – all of which are referred to as covered entities (CEs).
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act tightened down on some of the original HIPAA requirements to ensure that controls and enforcement were properly implemented, including encryption controls, breach notification, and a database that publicly outlines the details of breaches affecting 500 or more individuals. Even with the tighter requirements of the HITECH Act, HIPAA-related security breaches were still occurring. In fact, thus far in 2014, over 100 PHI-related breaches have been publicized in HHS’s database. And those are the known breaches. What else is happening that hasn’t yet been discovered?
Fun fact: “Medical data is becoming the next revenue stream for hackers. The personal information found in health care records fetches hefty sums on underground markets, making any company that stores such data a very attractive target for attackers.” – Computerworld, March 20, 2015
The fact of the matter is that mere policies aren’t enough to protect sensitive information. That is why, in 2013, the U.S. Department of Health and Human Services (a.k.a. HHS), the federal agency responsible for HIPAA, saw an opportunity to further tighten the HIPAA rules and issued what is known as the Omnibus Rule.
What is the Omnibus Rule?
In broad terms, the Omnibus Rule addresses the following three specific areas that have a bearing on physicians as either covered entities or business associates:
- Modifies the HIPAA Privacy, Security, and Enforcement regulations in the following ways:
  - Makes business associates and subcontractors of business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rule requirements
  - Strengthens the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising purposes, and prohibits the sale of PHI without individual authorization
  - Expands an individual’s rights to receive electronic copies of his or her health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out-of-pocket in full
  - Requires modifications to a covered entity’s Notice of Privacy Practices
- Adopts the additional HITECH Act enhancements to the Enforcement Rule, particularly regarding privacy breaches and penalties:
  - Creates an increased and tiered civil money penalty structure for security breaches under the HITECH Act.
- Modifies and clarifies the definition of what constitutes a reportable privacy breach and the factors covered entities and business associates must consider when determining whether a reportable breach has occurred.
What does this mean in plain English? Early on, a business associate agreement between CEs and those organizations with whom they did business was enough to satisfy the HIPAA requirements. But at the end of the day, contracts mean very little in terms of security breach prevention. Now, it’s been made clear that the specific Security Rule requirements and the HITECH Act apply to all business associates and their subcontractors. Suddenly HIPAA compliance has a much greater reach.
All in all, the HIPAA Security Rule, HITECH Act, and the latest Omnibus Rule requirements are nothing magical or mysterious, or even that difficult to implement. They’re common-sense, decades-old information security principles that every business should already have in place (which is what we’ve been saying all along). Technically speaking, the original Security Rule required that business associates (BAs) comply with the HIPAA requirements. However, the way the regulation was written, it ended up being more bark than bite, and no one took it seriously. The HITECH Act, and especially the Omnibus Rule, have clarified what’s expected of BAs and their subcontractors that process, store, or access protected health information (PHI).
Why Aren’t BAAs Good Enough?
It’s time to go beyond the contract and ensure that all parties in the HIPAA equation are doing what needs to be done to truly secure PHI – from network endpoints to the cloud and everything in between. Business associate agreements (BAAs) are a good fallback plan when something goes awry and accountability (blame) needs to be assigned. Still, there’s not a contract in the world that’s going to protect your business from the time, money, and effort required of your executives, PR, IT, legal, and related staff – not to mention the hit to your bottom line – when a security breach occurs.
What This Means for Your Business
If your business handles PHI in any shape or form, and you aren’t already HIPAA compliant (or constantly improving in order to remain HIPAA compliant), you’ve got to get rolling with HIPAA security compliance TODAY. The good news is that it doesn’t have to be that difficult (read How Do You Become HIPAA Compliant).
The first step is acknowledging that HIPAA applies to your business. The next step is getting to know your network better, especially where PHI is stored and how it flows through the environment. The last step is doing something about it.